Kerberos protocol is one of the popular security protocols used to authenticate the identities of the communication participants. The key distribution mechanism in this protocol is suitable for other secure applications. We formalize the protocol using CSP methods. Based on the formal model, the mechanism of the protocol is exposed to us clearly. Principles and tools support the verification of the formal model. In that way, we can prove that the system protected by the protocol is indeed secure as it declared. The reasons for security can be fixed out formally as a reference to analyzing other protocols.